Impact of GDPR on SAP HCM
The European General Data Protection Regulation (GDPR) came into effect on May 25, 2018, after a two-year transition period. But what specific changes does this bring for companies, and how can the existing requirements be implemented in the use of SAP? What should be considered, especially in the processing of personal data, which is common in HR departments? As your service partner, we are here to assist you with questions and the technical implementation of GDPR regulations. Here are the key points summarized for you:
GDPR introduces stricter accountability requirements. Companies must be able to demonstrate compliance with the principles of processing personal data as per Article 5 of GDPR and have appropriate data protection measures in place. In this context, companies should review and adapt their data protection measures. Below are some important measures to be carried out in this context:
- Data Mapping
Review of internal and external data flows, closing potential security gaps in information processes. - Data Storage Strategy
Creation of a data directory that includes lawful retention periods, the reasons for data collection and processing, as well as access rights for personal data. - Employee Awareness
Employees should receive training on handling personal data. - Respecting Individual Rights
Employees have rights such as the “right to be forgotten” and the “right to data portability” for their personal data. Technical feasibility within the system is required in this context. - Legal Data Processing and Contract Review
With your business partners, ensure compliance with data processing agreements, among other legal requirements. This way, your company can ensure that personal data is properly processed by third parties. Failure to ensure proper processing of personal data by third parties can lead to liability for your company. - Process Adaptation
Data controllers must inform the data protection authority of data breaches within 72 hours. Additionally, affected individuals must be informed. Therefore, appropriate security and emergency processes should be integrated into the operational procedures.
In case of violations of the GDPR, companies or data processors can be held liable to data subjects (Article 82 GDPR). Furthermore, additional sanctions can be imposed in accordance with Articles 83 et seq. GDPR. This can include fines of up to €20,000,000 or up to 4% of the company’s global annual turnover.
Implementation in SAP:
SAP provides the Information Lifecycle Management (ILM) tool for data retention, blocking, and deletion. With the use of ILM, the entire lifecycle of SAP data can be automated and managed.
- ILM Rules: ILM allows for the establishment of rules, which can include data retention rules and periods in accordance with legal requirements in SAP.
- Data Archiving: ILM can be used to establish rules for data retention and periods in accordance with legal requirements in SAP.
- Data Deletion: Data can be deleted according to the rules defined in ILM. This step can be taken without prior archiving into an archiving system.